CVE-2026-32761: File Browser has an Authorization Policy Bypass in Public Share Download Flow
A permission enforcement flaw allows users without download privileges (download=false) to still expose and retrieve file content via public share links when they retain share privileges (share=true). This bypasses intended access control policy and enables unauthorized data exfiltration to unauthenticated users. Where download restrictions are used for data-loss prevention or role separation.
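An added example (not File Browser's code and not taken from the advisory): a Go audit that flags accounts holding share=true together with download=false, next to a model of the intended policy. The JSON field names, the `User` and `Perm` types, the function names and the sample records are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Perm holds the two flags named in the advisory (JSON keys are assumed).
type Perm struct {
	Share    bool `json:"share"`
	Download bool `json:"download"`
}

// User is a hypothetical, minimal shape of one exported user record.
type User struct {
	Username string `json:"username"`
	Perm     Perm   `json:"perm"`
}

// sampleUsers is constructed data, not output from a real instance.
const sampleUsers = `[
{"username":"alice","perm":{"share":true,"download":true}},
{"username":"bob","perm":{"share":true,"download":false}},
{"username":"carol","perm":{"share":false,"download":false}}]`

// MayPublishShare models the intended policy: a public link serves file
// content to anonymous users, so its owner needs both permissions.
func MayPublishShare(p Perm) bool { return p.Share && p.Download }

// AtRisk lists accounts with share=true and download=false, the
// combination the advisory says bypasses the download restriction.
func AtRisk(data []byte) ([]string, error) {
	var users []User
	if err := json.Unmarshal(data, &users); err != nil {
		return nil, fmt.Errorf("parse users: %w", err)
	}
	var flagged []string
	for _, u := range users {
		if u.Perm.Share && !MayPublishShare(u.Perm) {
			flagged = append(flagged, u.Username)
		}
	}
	return flagged, nil
}

func main() {
	names, err := AtRisk([]byte(sampleUsers))
	fmt.Println("share=true, download=false:", names, err)
}
```

Accounts the audit flags are the ones whose existing public shares are worth reviewing.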
References
- github.com/advisories/GHSA-68j5-4m99-w9w9
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/09a26166b4f79446e7174c017380f6db45444e32
- github.com/filebrowser/filebrowser/releases/tag/v2.62.0
- github.com/filebrowser/filebrowser/security/advisories/GHSA-68j5-4m99-w9w9
- nvd.nist.gov/vuln/detail/CVE-2026-32761